MAL-2026-4529

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloudpivot/MAL-2026-4529.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4529
Published
2026-05-23T08:02:30Z
Modified
2026-05-26T06:02:24.503445043Z
Summary
Malicious code in cloudpivot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c)

On npm install, the package.json preinstall hook runs wget against http://194.120.24.50:7374 with query parameters carrying $(whoami), $(pwd), $(hostname), and a base64-encoded copy of /etc/passwd. The package ships no functional code — main: index.js is declared but no index.js is present — so the only effect of installing the package is the exfiltration probe firing automatically. The destination is a bare IP over plain HTTP, with no relation to any declared publisher, and the package description itself references Burp Collaborator abuse. Any developer or CI system that runs npm install cloudpivot leaks host identifiers and the local user database to the operator of 194.120.24.50.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-23T08:22:24Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c",
            "id": "IN-MAL-2026-004300",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:19.864106554Z"
        },
        {
            "modified_time": "2026-05-23T08:02:30Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "e9fbe3aa0aad306420c2f7b34389ded8e1fc6e044a2af36789935051475f5284",
            "id": "IN-MAL-2026-004299",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:19.765042781Z"
        }
    ]
}
References
Credits

Affected packages

npm / cloudpivot

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "b399506fb05a89ad0070a3359d1532e08697bb6e3fb2900c6e65f6bbeee3ee6b",
            "tlsh": "7d11efaa6a70cb366df84f343ba08316b10377af04717d0574739a84238e4f2241ce21",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-BhlUsRdIAiYfJTqguNXTEtSmkpbcPAw0EQkVFcTpEtiApT9gQjOBiSuIE1air+ysPNzjC2FiWHszMuVM4QI3wg==",
                "sha1": "be1b3a4d808a612d85bf8a0bb7aaa5c83bddd692"
            },
            "filename": "cloudpivot-1.0.3.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloudpivot/MAL-2026-4529.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]